|
 |
8ddd42 |
Change the DH key length from 512 to 1024 bits to meet minimum requirements
|
|
|
8ddd42 |
of FIPS 140-2. (In principle we could use the larger size only when FIPS
|
|
|
8ddd42 |
mode is on, but it doesn't seem worth the trouble.)
|
|
|
8ddd42 |
|
|
|
8ddd42 |
The new parameter value was generated using "openssl dhparam -C 1024".
|
|
|
8ddd42 |
|
|
|
8ddd42 |
|
|
|
8ddd42 |
diff -up mariadb-10.0.16/vio/viosslfactories.c.orig mariadb-10.0.16/vio/viosslfactories.c
|
|
|
8ddd42 |
--- mariadb-10.0.16/vio/viosslfactories.c.orig 2015-01-25 16:21:38.000000000 +0100
|
|
|
8ddd42 |
+++ mariadb-10.0.16/vio/viosslfactories.c 2015-02-03 10:48:26.012560285 +0100
|
|
|
8ddd42 |
@@ -20,27 +20,32 @@
|
|
|
8ddd42 |
static my_bool ssl_algorithms_added = FALSE;
|
|
|
8ddd42 |
static my_bool ssl_error_strings_loaded= FALSE;
|
|
|
8ddd42 |
|
|
|
8ddd42 |
-static unsigned char dh512_p[]=
|
|
|
8ddd42 |
+static unsigned char dh1024_p[]=
|
|
|
8ddd42 |
{
|
|
|
8ddd42 |
- 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
|
|
|
8ddd42 |
- 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
|
|
|
8ddd42 |
- 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
|
|
|
8ddd42 |
- 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
|
|
|
8ddd42 |
- 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
|
|
|
8ddd42 |
- 0x47,0x74,0xE8,0x33,
|
|
|
8ddd42 |
+ 0xBF,0x5C,0xFA,0xD1,0xDD,0xBB,0xB3,0x0A,0x58,0x29,0x05,0xF5,
|
|
|
8ddd42 |
+ 0x7D,0x64,0xB2,0xE1,0xCE,0xE8,0xE0,0xE1,0x7A,0xB6,0xBC,0x5B,
|
|
|
8ddd42 |
+ 0x21,0x56,0xDF,0x2C,0x82,0x60,0xDC,0x31,0xCA,0x1E,0x02,0xFE,
|
|
|
8ddd42 |
+ 0xC4,0xE7,0x24,0x63,0x31,0xE4,0x67,0x1C,0x0B,0xFF,0x86,0x12,
|
|
|
8ddd42 |
+ 0x0D,0x2E,0xE6,0x35,0x0A,0x07,0x4F,0xE7,0x3F,0xDE,0xFE,0xF0,
|
|
|
8ddd42 |
+ 0x13,0x1C,0xA2,0x2B,0xF4,0xEE,0x2C,0x90,0x10,0x57,0x6B,0x2B,
|
|
|
8ddd42 |
+ 0xB9,0x1E,0x1B,0x47,0xB0,0x25,0xBF,0x45,0x86,0xDA,0x87,0x35,
|
|
|
8ddd42 |
+ 0x2C,0xF5,0x6A,0x41,0xA2,0x57,0xD8,0x16,0x5E,0x82,0x91,0x99,
|
|
|
8ddd42 |
+ 0x33,0xA0,0x8B,0x9D,0x34,0xCE,0x03,0x01,0x80,0x32,0x07,0x3B,
|
|
|
8ddd42 |
+ 0xF2,0x93,0xFC,0x3A,0x25,0xEC,0xB3,0xED,0x5C,0x4E,0x57,0xF2,
|
|
|
8ddd42 |
+ 0x3C,0x2E,0x0D,0xB1,0x59,0xA2,0x08,0x93,
|
|
|
8ddd42 |
};
|
|
|
8ddd42 |
|
|
|
8ddd42 |
-static unsigned char dh512_g[]={
|
|
|
8ddd42 |
+static unsigned char dh1024_g[]={
|
|
|
8ddd42 |
0x02,
|
|
|
8ddd42 |
};
|
|
|
8ddd42 |
|
|
|
8ddd42 |
-static DH *get_dh512(void)
|
|
|
8ddd42 |
+static DH *get_dh1024(void)
|
|
|
8ddd42 |
{
|
|
|
8ddd42 |
DH *dh;
|
|
|
8ddd42 |
if ((dh=DH_new()))
|
|
|
8ddd42 |
{
|
|
|
8ddd42 |
- dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
|
|
|
8ddd42 |
- dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
|
|
|
8ddd42 |
+ dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
|
|
|
8ddd42 |
+ dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
|
|
|
8ddd42 |
if (! dh->p || ! dh->g)
|
|
|
8ddd42 |
{
|
|
|
8ddd42 |
DH_free(dh);
|
|
|
8ddd42 |
@@ -257,7 +262,7 @@ new_VioSSLFd(const char *key_file, const
|
|
|
8ddd42 |
}
|
|
|
8ddd42 |
|
|
|
8ddd42 |
/* DH stuff */
|
|
|
8ddd42 |
- dh=get_dh512();
|
|
|
8ddd42 |
+ dh=get_dh1024();
|
|
|
8ddd42 |
SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh);
|
|
|
8ddd42 |
DH_free(dh);
|
|
|
8ddd42 |
|